Data sources encountered during my SecOps career

During my SecOps career I monitored event logs from multiple vendors. Below are concise notes on a few common sources I worked with.

Primary vendors & systems

  • Microsoft Windows Server

    Windows Event Logs, Sysmon and Defender alerts — essential for endpoint and identity signals.

  • F5 BIG-IP WAF

    HTTP access and WAF event logs — used to detect web application attacks and anomalous requests.

  • Okta (System / Audit Logs)

    Authentication, MFA and admin events — critical identity and access telemetry.

  • Trend Micro (EDR)

    Endpoint telemetry and EDR alerts — process, file and network events useful for detection and response.

  • Microsoft Defender (EDR)

    Endpoint detection and response telemetry — alerts and process/file/network signals for detection and containment.

  • FortiGate (Firewall)

    Firewall and traffic logs via syslog — network flows, blocked connections and VPN events for perimeter and network-level visibility.

  • Forcepoint Proxy

    Proxy logs and URL filtering events — visibility into web access, blocked sites and potential data exfiltration via web channels.

  • Zscaler Internet Access (Proxy)

    Cloud proxy and URL filtering logs — internet traffic, policy enforcement and TLS inspection events for web gateway visibility.

  • Zscaler Private Access (VPN)

    Tunneled application access and session logs — user-to-app connection events and access decisions for secure private access visibility.

  • Office365 / Microsoft 365 (Audit Logs)

    Exchange, SharePoint, Teams and Azure AD audit events — user and admin activity, file access and mailbox events for collaboration and identity visibility.

General guidance

  • Use reliable collection (agents, syslog, API) with secure transport.
  • Normalize timestamps and key fields for cross-source correlation.
  • Enrich logs with asset and identity context to reduce false positives.
  • Keep parsing rules simple and test detections with representative traffic.
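The second and third points above (normalizing timestamps and key fields, then joining sources on user and IP) as an added example, not code from the original notes: the three sample events are constructed and only approximate the FortiGate key=value syslog, Okta System Log and Windows logon (event ID 4624) layouts; the field names and the five-minute window are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone
# Constructed sample events (hypothetical, not captured telemetry), shaped after FortiGate
# key=value syslog, an Okta System Log record and a Windows logon event (ID 4624).
FORTIGATE_LINE = ('date=2024-03-05 time=14:02:11 tz="+0100" type="traffic" srcip=10.1.2.3 '
                  'dstip=203.0.113.7 action="deny" user="ALICE"')
OKTA_EVENT = json.dumps({"published": "2024-03-05T13:02:40.000Z", "eventType": "user.session.start",
                         "actor": {"alternateId": "alice@example.com"},
                         "client": {"ipAddress": "10.1.2.3"}, "outcome": {"result": "SUCCESS"}})
WINDOWS_EVENT = json.dumps({"TimeCreated": "2024-03-05T13:03:05Z", "EventID": 4624,
                           "TargetUserName": "CORP\\alice", "IpAddress": "10.1.2.3"})
FORTI_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def normalize_user(value):
    # Join key for correlation: drop UPN domain and DOMAIN\ prefix, lower-case the rest.
    return value.split("@")[0].split("\\")[-1].lower()

def to_utc(text):
    # ISO-8601 with a Z suffix (Okta / Windows exports) -> timezone-aware UTC datetime.
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_fortigate(line):
    # FortiGate logs local date/time plus a tz offset; convert to UTC before comparing.
    kv = {k: q or u for k, q, u in FORTI_KV.findall(line)}
    tz = kv.get("tz", "+0000")
    local = timezone(timedelta(hours=int(tz[:3]), minutes=int(tz[0] + tz[3:])))
    ts = datetime.strptime(f'{kv["date"]} {kv["time"]}', "%Y-%m-%d %H:%M:%S").replace(tzinfo=local)
    return {"source": "fortigate", "ts": ts.astimezone(timezone.utc), "src_ip": kv.get("srcip"),
            "user": normalize_user(kv.get("user", "")), "outcome": kv.get("action")}

def parse_okta(raw):
    e = json.loads(raw)
    return {"source": "okta", "ts": to_utc(e["published"]), "src_ip": e["client"]["ipAddress"],
            "user": normalize_user(e["actor"]["alternateId"]), "outcome": e["outcome"]["result"].lower()}

def parse_windows(raw):
    e = json.loads(raw)
    return {"source": "windows", "ts": to_utc(e["TimeCreated"]), "src_ip": e["IpAddress"],
            "user": normalize_user(e["TargetUserName"]), "outcome": "success" if e["EventID"] == 4624 else "failure"}

def correlate(events, window=timedelta(minutes=5)):
    # Group by (user, src_ip); keep a group only if its events all fall within `window`.
    by_key = {}
    for ev in sorted(events, key=lambda x: x["ts"]):
        by_key.setdefault((ev["user"], ev["src_ip"]), []).append(ev)
    return {k: sorted(ev["source"] for ev in evs)
            for k, evs in by_key.items() if evs[-1]["ts"] - evs[0]["ts"] <= window}

ALL_EVENTS = [parse_fortigate(FORTIGATE_LINE), parse_okta(OKTA_EVENT), parse_windows(WINDOWS_EVENT)]
```

Once all three records carry a UTC timestamp and the same bare user name, the firewall deny, the Okta session start and the Windows logon from the same address line up in one group; without the timezone conversion the FortiGate event would sit an hour away from the others.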

Why this matters

Combining endpoint, identity and application-layer telemetry gives broader visibility and enables higher-fidelity detections.

I can produce short checklists or SIEM parser templates for these sources on request.